On 7/3/05, Wouter Verhelst <wouter@debian.org> wrote:
> On Sat, Jul 02, 2005 at 05:35:09PM -0700, Michael K. Edwards wrote:
> > On 7/2/05, Andrew Suffield <asuffield@debian.org> wrote:
> > > On Thu, Jun 30, 2005 at 09:43:04PM +0100, Gervase Markham wrote:
> > > > These are two very different cases, though. If a local admin installs a
> > > > new root cert, that's cool - they are taking responsibility for the
> > > > security of those users, and they have extreme BOFH power over them
> > > > anyway. However, having the root appear by default, so that no-one at
> > > > the remote site really knows it's there (who consults the root list) and
> > > > it's now on Y thousand or million desktops - that is a different kettle
> > > > of fish.
> > >
> > > You've missed the really interesting, really important case.
> > >
> > > What about the site admin team for X thousand desktops who produce a
> > > modified firefox package to be used across the whole company? This is
> > > the normal, expected usage of Debian.
> >
> > Happily, trademark law is perfectly indifferent to this case; when the
> > modified package is not advertised, marketed, sold, or otherwise used
> > in commerce under the trademark, there is no case for trademark
> > infringement (AIUI, IANAL).
>
> And?
>
> It's not because Debian doesn't advertise, market, sell, or otherwise
> use in commerce its own modified package that other people don't do
> that. Think of people selling CD images, preinstalled computers...

Note that I was responding specifically to a concern raised by Andrew
about whether the Mozilla Foundation's objections to adding root certs
to the Firefox package would affect corporate site admins who rebuild
Debian's Firefox. As I see it, that is indeed a legitimate scenario
for downstream alteration of the root cert list, but that's OK -- the
trademark "safety zone" automatically extends to the site admin, since
she is not marketing her altered package under the trademark.

In other words, adding root certs is a common case; but adding root
certs _and_marketing_the_result_ is a corner case. I don't have a
problem with a clause in a trademark policy that says, "the 'safety
zone' for descriptive use of our trademark on modified builds does not
extend to people who add root certs without our approval and advertise
or sell the result under our trademark." I think it's fair to say
that QA on the root cert list is rather central to the QA of a
"secure" browser, and for the Mozilla folks to call this out as a
sensitive issue is not only reasonable but perhaps (IANAL) necessary
if they want to retain the trademark.

Cheers,
- Michael